Thursday, January 15, 2009

Verified by Visa – verily?

Today I ran into an excellent example of false security – with horrible usability to boot. I was helping my landlady to purchase a laptop online using a Visa card. At the checkout step, a screen appeared that we did not understand. It came from Visa itself and asked for the password associated with the credit card.

But we did read the FAQ that it linked to. As it turned out, this “optional” Verified by Visa system makes online purchases more secure. It did not seem optional at all. Well, only more secure, then. Right?

Wrong. How exactly does one get a Verified by Visa password? Let's click the “forgot your password” button and find out. To reset the password, you need to specify:

- the 3-digit card validation code
- your name, as written on the card
- the card expiry date
- the year and month of your birth

The first three of these four pieces of information are written on your credit card, and also submitted in any web form that involves a credit card purchase. By assumption, an attacker already has this information, or else the extra password protection wouldn't serve any purpose. So the only extra piece of information that is asked for is your birth year and month. Not exactly information that is hard to find, or even to brute-force if you put your mind to it. They might as well have skipped the password and asked for your birth date instead.

But well, it doesn't make you any less secure, so we continued to set up a password. First attempt failed: “use letters and numbers only”. Because, you know, secure passwords do not involve special characters at all. Second attempt: “please use both letters and numbers”. If you're going to use stupid limitations, at least tell me beforehand. Third attempt: “please use between 8 and 12 characters”. By now it seemed more like a CAPTCHA to me.
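To put numbers on the two complaints above (the reset flow that only adds a birth month, and the password rules revealed one error at a time), here is an added example that is not part of the original post. It checks a password against all three stated rules in one pass and compares the size of the accepted password space with the number of birth year/month guesses a reset attempt would need; the 18 to 100 year age range for cardholders is an assumption.

```python
import math
import re

# Password policy as the post describes it: letters and digits only,
# at least one of each, 8 to 12 characters.
MIN_LEN, MAX_LEN = 8, 12
ALPHABET_SIZE = 26 + 26 + 10  # a-z, A-Z, 0-9


def policy_violations(password: str) -> list:
    """Return every rule the password breaks, so a form can show all of
    them at once instead of one new error per attempt."""
    problems = []
    if not re.fullmatch(r"[A-Za-z0-9]*", password):
        problems.append("use letters and numbers only")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("please use both letters and numbers")
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"please use between {MIN_LEN} and {MAX_LEN} characters")
    return problems


def password_space_bits(min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> float:
    """log2 of the number of strings the policy accepts: an upper bound on
    how much work guessing the password itself could take."""
    total = 0
    for n in range(min_len, max_len + 1):
        # Inclusion-exclusion: all alphanumeric strings of length n, minus
        # the letters-only strings, minus the digits-only strings.
        total += ALPHABET_SIZE ** n - 52 ** n - 10 ** n
    return math.log2(total)


def reset_factor_bits(min_age: int = 18, max_age: int = 100) -> float:
    """log2 of the birth year/month combinations left to guess once the
    attacker already holds the card data (assumed cardholder age range)."""
    years = max_age - min_age + 1
    return math.log2(years * 12)


def effective_bits(min_age: int = 18, max_age: int = 100) -> float:
    """An account is only as strong as its weakest recovery path."""
    return min(password_space_bits(), reset_factor_bits(min_age, max_age))
```

Even the maximum-strength 12-character password is worth under 10 bits of effective protection here, because the reset path bypasses it with roughly a thousand guesses.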

Then, finally, the password was accepted and we could proceed… to the next error message. Turns out that NoScript blocked the transaction, even with JavaScript turned on. If NoScript does that to you, it probably means that you're doing something very, very wrong. But finally, after convincing NoScript that it was okay, the payment got through.

Stupidity can, in rare cases, be forgiven. But not if you're the largest credit card issuer in the world.
